diff --git a/policy-F13.patch b/policy-F13.patch index 519ed94..8e727ed 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -703,7 +703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.7.19/policy/modules/admin/ncftool.fc --- nsaserefpolicy/policy/modules/admin/ncftool.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.fc 2010-06-15 18:40:03.048768063 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.fc 2010-08-13 09:45:26.896085235 +0200 @@ -0,0 +1,2 @@ + +/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) @@ -791,8 +791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te --- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-10 17:56:29.555085094 +0200 -@@ -0,0 +1,99 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-13 08:38:27.092085187 +0200 +@@ -0,0 +1,100 @@ + +policy_module(ncftool,1.0.0) + @@ -810,6 +810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + +type ncftool_t; +type ncftool_exec_t; ++corecmd_executable_file(ncftool_exec_t) +application_domain(ncftool_t, ncftool_exec_t) +domain_obj_id_change_exemption(ncftool_t) +domain_system_change_exemption(ncftool_t) 
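Review bot: The added `corecmd_executable_file(ncftool_exec_t)` is most likely redundant, because `application_domain(ncftool_t, ncftool_exec_t)` on the next line already runs `application_executable_file()` on its second argument in refpolicy of this vintage, and that interface calls `corecmd_executable_file()` itself — confirm against this tree's `application.if` and drop the line if so. The surrounding new-side context also exempts ncftool_t from the object-identity and system-identity change constraints (`domain_obj_id_change_exemption`, `domain_system_change_exemption`), and later in this diff sysadm_t is given a transition into it, so a one-line comment stating why ncftool needs those exemptions would help whoever audits this privileged domain later. The ncftool.te module continues past the end of this hunk.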
@@ -1075,7 +1076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-08-10 16:41:00.472085275 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-08-13 08:05:22.243084958 +0200 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -1148,7 +1149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +119,63 @@ +@@ -99,5 +119,65 @@ ') optional_policy(` @@ -1204,6 +1205,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink + +miscfiles_read_localization(prelink_cron_system_t) + ++userdom_dontaudit_list_admin_dir(prelink_cron_system_t) ++ +optional_policy(` + cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) +') 
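Review bot: `userdom_dontaudit_list_admin_dir(prelink_cron_system_t)` silences a denial without saying what causes the `/root` listing, and a dontaudit rule is exactly the kind of line a later reader cannot reconstruct from the policy alone. Presumably the system cron job inherits `/root` as cwd or HOME and the lookup is harmless; if so, record it, e.g. `# cron runs the job with cwd /root; the directory listing is a benign side effect`, so the rule is not mistaken for prelink being pointed at the admin's home. The hunk also relies on `userdom_dontaudit_list_admin_dir` existing in this tree's userdomain.if, which is not visible here.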
@@ -8182,6 +8185,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.7.19/policy/modules/apps/webalizer.te +--- nsaserefpolicy/policy/modules/apps/webalizer.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/webalizer.te 2010-08-13 07:59:10.406085311 +0200 +@@ -85,6 +85,7 @@ + userdom_use_user_terminals(webalizer_t) + userdom_use_unpriv_users_fds(webalizer_t) + userdom_dontaudit_search_user_home_content(webalizer_t) ++userdom_dontaudit_list_admin_dir(webalizer_t) + + apache_read_log(webalizer_t) + apache_manage_sys_content(webalizer_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.19/policy/modules/apps/wine.fc --- nsaserefpolicy/policy/modules/apps/wine.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/apps/wine.fc 2010-05-28 09:42:00.014611294 +0200 @@ -11606,7 +11620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-08-11 15:20:33.403085139 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-08-13 09:46:40.562085238 +0200 @@ -28,17 +28,29 @@ corecmd_exec_shell(sysadm_t) @@ -11757,14 +11771,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') optional_policy(` -@@ -212,12 +250,22 @@ +@@ -212,12 +250,18 @@ ') optional_policy(` -+ ncftool_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + kerberos_exec_kadmind(sysadm_t) +') + 
@@ -11780,7 +11790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` kudzu_run(sysadm_t, sysadm_r) -@@ -227,9 +275,11 @@ +@@ -227,9 +271,11 @@ libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -11792,7 +11802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` logrotate_run(sysadm_t, sysadm_r) -@@ -252,8 +302,10 @@ +@@ -252,8 +298,10 @@ optional_policy(` mount_run(sysadm_t, sysadm_r) @@ -11803,7 +11813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mozilla_role(sysadm_r, sysadm_t) ') -@@ -261,6 +313,7 @@ +@@ -261,6 +309,7 @@ optional_policy(` mplayer_role(sysadm_r, sysadm_t) ') @@ -11811,6 +11821,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` mta_role(sysadm_r, sysadm_t) +@@ -275,6 +324,10 @@ + ') + + optional_policy(` ++ ncftool_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + netutils_run(sysadm_t, sysadm_r) + netutils_run_ping(sysadm_t, sysadm_r) + netutils_run_traceroute(sysadm_t, sysadm_r) @@ -308,8 +361,14 @@ ') @@ -12645,8 +12666,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-08-11 11:43:12.141085035 +0200 -@@ -0,0 +1,448 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-08-13 07:30:50.833085376 +0200 +@@ -0,0 +1,444 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
@@ -12806,10 +12827,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` -+ ncftool_run(unconfined_t, unconfined_r) -+ ') -+ -+ optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) + ') + @@ -15646,8 +15663,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.19/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/bind.if 2010-06-25 15:40:14.365137939 +0200 -@@ -359,7 +359,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/bind.if 2010-08-13 08:08:10.688085038 +0200 +@@ -269,6 +269,27 @@ + allow $1 named_var_run_t:dir setattr; + ') + ++####################################### ++## ++## Read BIND log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_read_log',` ++ gen_require(` ++ type named_zone_t; ++ type named_log_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 named_zone_t:dir search_dir_perms; ++ read_files_pattern($1, named_log_t, named_log_t) ++') ++ + ######################################## + ## + ## Set the attributes of the BIND zone directory. +@@ -359,7 +380,7 @@ interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; @@ -15656,7 +15701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind type named_cache_t, named_zone_t; type dnssec_t, ndc_t; type named_initrc_exec_t; -@@ -391,9 +391,6 @@ +@@ -391,9 +412,6 @@ admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) 
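Review bot: `bind_read_log` only searches `/var` and `named_zone_t` directories before reading `named_log_t` files, so a caller can reach a log kept under the zone or chroot tree but not one in `/var/log` (the usual non-chroot `named.log` location) unless it already holds `logging_search_logs`. Either add `logging_search_logs($1)` to the interface or state in its summary that it covers logs under the zone directory only; which paths actually carry `named_log_t` is decided in bind.fc, which this diff does not show. The `bind_admin` interface visible in the trailing context starts and ends outside the hunk.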
@@ -15666,6 +15711,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind files_list_pids($1) admin_pattern($1, named_var_run_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.19/policy/modules/services/bind.te +--- nsaserefpolicy/policy/modules/services/bind.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/bind.te 2010-08-13 07:59:53.335085221 +0200 +@@ -240,6 +240,7 @@ + sysnet_dns_name_resolve(ndc_t) + + userdom_use_user_terminals(ndc_t) ++userdom_dontaudit_list_admin_dir(ndc_t) + + term_dontaudit_use_console(ndc_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te 2010-06-09 23:44:39.315208775 +0200 @@ -15909,8 +15965,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-11 11:26:59.359084985 +0200 -@@ -0,0 +1,150 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-13 07:57:07.812101911 +0200 +@@ -0,0 +1,151 @@ + +policy_module(boinc,1.0.0) + 
@@ -16003,10 +16059,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +domain_read_all_domains_state(boinc_t) + -+files_dontaudit_getattr_boot_dirs(boinc_t) -+ +files_read_etc_files(boinc_t) +files_read_usr_files(boinc_t) ++files_getattr_all_dirs(boinc_t) ++files_getattr_all_files(boinc_t) ++files_dontaudit_search_home(boinc_t) ++files_dontaudit_getattr_boot_dirs(boinc_t) + +fs_getattr_all_fs(boinc_t) + @@ -16032,6 +16090,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +allow boinc_project_t self:process { execmem execstack }; + +allow boinc_project_t self:fifo_file rw_fifo_file_perms; ++allow boinc_project_t self:shm create_shm_perms; ++allow boinc_project_t self:sem create_sem_perms; + +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) @@ -16041,6 +16101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +allow boinc_project_t boinc_project_var_lib_t:file execmod; + ++allow boinc_project_t boinc_t:shm rw_sem_perms; +allow boinc_project_t boinc_t:shm rw_shm_perms; +allow boinc_project_t boinc_tmpfs_t:file { read write }; + @@ -16053,11 +16114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +corenet_tcp_connect_boinc_port(boinc_project_t) + -+dev_rw_xserver_misc(boinc_t) -+ -+files_getattr_all_dirs(boinc_t) -+files_getattr_all_files(boinc_t) -+files_dontaudit_search_home(boinc_t) ++dev_rw_xserver_misc(boinc_project_t) + +miscfiles_read_localization(boinc_project_t) + 
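Review bot: `allow boinc_project_t boinc_t:shm rw_sem_perms;` applies the semaphore permission set to the `shm` class; it compiles because every permission in `rw_sem_perms` also exists for `shm`, but it is fully subsumed by the `rw_shm_perms` rule on the next line and grants nothing on semaphores. Since the same hunk adds `allow boinc_project_t self:sem create_sem_perms;`, the intended rule is presumably `allow boinc_project_t boinc_t:sem rw_sem_perms;` — as written, a project binary attaching to the client's semaphores will still be denied. Both the boinc_t and boinc_project_t sections continue outside these hunks.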
@@ -17139,7 +17196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-08-10 19:19:30.062085271 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-08-13 08:13:25.074085043 +0200 @@ -1,6 +1,13 @@ policy_module(clamav, 1.7.1) @@ -17191,7 +17248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam dev_read_rand(freshclam_t) dev_read_urand(freshclam_t) -@@ -189,10 +203,14 @@ +@@ -189,14 +203,24 @@ auth_use_nsswitch(freshclam_t) @@ -17206,7 +17263,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -@@ -246,6 +264,14 @@ + ++tunable_policy(`clamd_use_jit',` ++ allow freshclam_t self:process execmem; ++', ` ++ dontaudit freshclam_t self:process execmem; ++') ++ + ######################################## + # + # clamscam local policy +@@ -246,6 +270,14 @@ mta_send_mail(clamscan_t) @@ -20103,7 +20170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-07-14 14:46:28.086159020 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-08-13 08:23:49.401085115 +0200 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) 
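Review bot: The `else` branch `dontaudit freshclam_t self:process execmem;` hides exactly the denial an administrator needs to see to learn that `clamd_use_jit` must be turned on, so audit2allow and setroubleshoot can no longer point at the boolean. Prefer dropping the else branch and keeping only `tunable_policy(`clamd_use_jit', `allow freshclam_t self:process execmem;')`, or, if the denial is too noisy in the default configuration, add a comment above the block explaining that freshclam's bytecode JIT only runs with the boolean enabled. This assumes `clamd_use_jit` is declared in the first hunk of clamav.te, which this diff shows only as a line-count change.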
@@ -20114,6 +20181,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_auth_t; type dovecot_auth_exec_t; domain_type(dovecot_auth_t) +@@ -19,7 +22,7 @@ + files_tmp_file(dovecot_auth_tmp_t) + + type dovecot_cert_t; +-files_type(dovecot_cert_t) ++miscfiles_cert_type(dovecot_cert_t) + + type dovecot_deliver_t; + type dovecot_deliver_exec_t; @@ -54,15 +57,16 @@ # dovecot local policy # @@ -20414,8 +20490,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.7.19/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/fail2ban.te 2010-07-13 09:14:20.047502958 +0200 -@@ -95,5 +95,9 @@ ++++ serefpolicy-3.7.19/policy/modules/services/fail2ban.te 2010-08-13 08:08:26.382085092 +0200 +@@ -91,9 +91,17 @@ + ') + + optional_policy(` ++ bind_read_log(fail2ban_t) ++') ++ ++optional_policy(` + ftp_read_log(fail2ban_t) ') optional_policy(` @@ -22029,7 +22113,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.19/policy/modules/services/ldap.te --- nsaserefpolicy/policy/modules/services/ldap.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.te 2010-05-28 09:42:00.121610589 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.te 2010-08-13 08:23:10.016085503 +0200 +@@ -11,7 +11,7 @@ + init_daemon_domain(slapd_t, slapd_exec_t) + + type slapd_cert_t; +-files_type(slapd_cert_t) ++miscfiles_cert_type(slapd_cert_t) + + type slapd_db_t; + files_type(slapd_db_t) @@ -28,9 +28,15 @@ type slapd_replog_t; files_type(slapd_replog_t) 
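Review bot: Moving `dovecot_cert_t` and `slapd_cert_t` from `files_type()` to `miscfiles_cert_type()` places both in the `cert_type` attribute, and elsewhere in this diff `miscfiles_read_certs()` is widened from `cert_t` to all of `cert_type`, so every domain calling that interface now gains read access to these two types. If the corresponding .fc entries cover the private-key material as well (the usual `/etc/pki/dovecot(/.*)?` and `/etc/openldap/certs(/.*)?` layouts would), this is a new cross-service exposure of server private keys rather than of CA bundles only. Consider a separate type for the private-key directories that stays out of `cert_type`, or limiting `cert_type` membership to public-certificate paths; the .fc files are not visible here.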
@@ -25447,7 +25540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oide diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.19/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-06-28 16:12:48.219149997 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/openvpn.te 2010-08-13 08:05:55.420085199 +0200 @@ -25,6 +25,9 @@ type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -25468,7 +25561,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open allow openvpn_t openvpn_var_log_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) -@@ -103,6 +109,9 @@ +@@ -69,6 +75,7 @@ + kernel_read_net_sysctls(openvpn_t) + kernel_read_network_state(openvpn_t) + kernel_read_system_state(openvpn_t) ++kernel_request_load_module(openvpn_t) + + corecmd_exec_bin(openvpn_t) + corecmd_exec_shell(openvpn_t) +@@ -103,6 +110,9 @@ auth_use_pam(openvpn_t) @@ -25478,7 +25579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -@@ -114,6 +123,7 @@ +@@ -114,6 +124,7 @@ sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -30469,7 +30570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-07-27 14:18:53.043073782 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-08-13 07:48:03.254335706 +0200 
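Review bot: `kernel_request_load_module(openvpn_t)` lets the daemon trigger kernel module auto-loading for any alias, not only the tun driver it needs, because the underlying `system:module_request` permission has no per-module granularity in this policy version. It is the normal way to get `/dev/net/tun` auto-loaded, so the grant is defensible, but add a comment such as `# autoload the tun module on first open of /dev/net/tun` so it is not taken for a leftover from debugging. The openvpn_t section continues outside this hunk.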
@@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -30681,31 +30782,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +665,23 @@ +@@ -626,23 +665,25 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; --allow swat_t nmbd_t:process { signal signull }; -- --allow swat_t nmbd_exec_t:file mmap_file_perms; --can_exec(swat_t, nmbd_exec_t) -- --allow swat_t nmbd_var_run_t:file { lock read unlink }; -- - samba_domtrans_smbd(swat_t) - allow swat_t smbd_t:process { signal signull }; ++samba_domtrans_smbd(swat_t) ++allow swat_t smbd_t:process { signal signull }; +allow smbd_t swat_t:process signal; + +samba_domtrans_nmbd(swat_t) -+allow swat_t nmbd_t:process { signal signull }; + allow swat_t nmbd_t:process { signal signull }; +allow nmbd_t swat_t:process signal; - allow swat_t smbd_var_run_t:file { lock unlink }; +-allow swat_t nmbd_exec_t:file mmap_file_perms; +-can_exec(swat_t, nmbd_exec_t) ++allow swat_t smbd_var_run_t:file { lock unlink }; +-allow swat_t nmbd_var_run_t:file { lock read unlink }; +allow swat_t smbd_port_t:tcp_socket name_bind; -+ + +-samba_domtrans_smbd(swat_t) +-allow swat_t smbd_t:process { signal signull }; +allow swat_t nmbd_port_t:udp_socket name_bind; -+ + +-allow swat_t smbd_var_run_t:file { lock unlink }; ++allow swat_t nmbd_var_run_t:file read_file_perms; + rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) 
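Review bot: `allow swat_t smbd_port_t:tcp_socket name_bind;` and `allow swat_t nmbd_port_t:udp_socket name_bind;` let the web front end itself bind the SMB and NetBIOS ports, even though the same hunk now launches the daemons through `samba_domtrans_smbd`/`samba_domtrans_nmbd`, where smbd_t and nmbd_t already hold those binds. If these rules came from an AVC produced by swat probing whether the ports are free, a comment saying so would justify them; otherwise they look like leftovers of the earlier `can_exec(swat_t, nmbd_exec_t)` approach and should go. The net change on `nmbd_var_run_t` from `{ lock read unlink }` to `read_file_perms` drops `unlink`, which is fine if swat no longer removes the pid file, but worth confirming against its stop-daemon path.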
@@ -30714,7 +30816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,11 +696,14 @@ +@@ -657,11 +698,14 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -30730,7 +30832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) kernel_read_network_state(swat_t) -@@ -700,6 +742,8 @@ +@@ -700,6 +744,8 @@ miscfiles_read_localization(swat_t) @@ -30739,7 +30841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +757,23 @@ +@@ -713,12 +759,23 @@ kerberos_use(swat_t) ') @@ -30764,7 +30866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -779,6 +834,9 @@ +@@ -779,6 +836,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -30774,7 +30876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +846,7 @@ +@@ -788,7 +848,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -30783,7 +30885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +924,18 @@ +@@ -866,6 +926,18 @@ # optional_policy(` 
@@ -30802,7 +30904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +946,12 @@ +@@ -876,9 +948,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -36593,7 +36695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. dev_read_sysfs(kdump_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-07-23 13:50:23.212138972 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-13 08:03:21.834085291 +0200 @@ -127,17 +127,16 @@ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -36647,7 +36749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +315,152 @@ +@@ -319,14 +315,153 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -36720,6 +36822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libpostproc4vlc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + 
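Review bot: The new `/usr/lib(64)?/libpostproc4vlc\.so.*` entry uses the loose `\.so.*` tail, which also matches unrelated names such as `libpostproc4vlc.so.conf` or `libpostproc4vlc.sox`, and a `textrel_shlib_t` label grants `execmod` on whatever it hits, so the match should be as tight as possible. The file's own convention elsewhere is `\.so(\.[^/]*)*`; `/usr/lib(64)?/libpostproc4vlc\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` would follow it, and the neighbouring `libpostproc`/`libswscale` lines would benefit from the same tightening. Whether the 64-bit build really carries text relocations is not established here; if only the i386 library does, `(64)?` could be dropped.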
@@ -37320,8 +37423,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.19/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.if 2010-05-28 09:42:00.507610874 +0200 -@@ -305,9 +305,6 @@ ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.if 2010-08-13 08:51:13.070085230 +0200 +@@ -1,5 +1,49 @@ + ## Miscelaneous files. + ++####################################### ++## ++## Make the specified type usable as a cert file. ++## ++## ++##

++## Make the specified type usable for cert files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a temporary file may result in problems with ++## cert management tools. ++##

++##

++## Related interfaces: ++##

++## ++##

++## Example: ++##

++##

++## type mycertfile_t; ++## cert_type(mycertfile_t) ++## allow mydomain_t mycertfile_t:file read_file_perms; ++## files_search_etc(mydomain_t) ++##

++##
++## ++## ++## Type to be used for files. ++## ++## ++## ++# ++interface(`miscfiles_cert_type',` ++ gen_require(` ++ attribute cert_type; ++ ') ++ ++ typeattribute $1 cert_type; ++ files_type($1) ++') ++ + ######################################## + ## + ## Read system SSL certificates. +@@ -13,12 +57,12 @@ + # + interface(`miscfiles_read_certs',` + gen_require(` +- type cert_t; ++ attribute cert_type; + ') + +- allow $1 cert_t:dir list_dir_perms; +- read_files_pattern($1, cert_t, cert_t) +- read_lnk_files_pattern($1, cert_t, cert_t) ++ allow $1 cert_type:dir list_dir_perms; ++ read_files_pattern($1, cert_type, cert_type) ++ read_lnk_files_pattern($1, cert_type, cert_type) + ') + + ######################################## +@@ -305,9 +349,6 @@ allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) @@ -37331,6 +37501,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.19/policy/modules/system/miscfiles.te +--- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.te 2010-08-13 08:20:38.726085384 +0200 +@@ -6,11 +6,13 @@ + # Declarations + # + ++attribute cert_type; ++ + # + # cert_t is the type of files in the system certs directories. + # + type cert_t; +-files_type(cert_t) ++miscfiles_cert_type(cert_t) + + # + # fonts_t is the type of various font diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.19/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/modutils.if 2010-06-16 22:16:32.597859978 +0200 
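Review bot: `miscfiles_read_certs()` now reads every type carrying the `cert_type` attribute instead of just `cert_t`, which silently turns each existing caller's "read the system CA store" grant into "read every service's certificate directory", including any private keys stored under those labels; the widening should at least be stated in the interface summary, or private-key locations kept out of `cert_type`. The documentation of the new `miscfiles_cert_type` interface is copy-pasted: it talks about "a temporary file", and its example calls `cert_type(mycertfile_t)` although the interface is named `miscfiles_cert_type`. Wording such as `Failure to use this interface for a certificate type may result in problems with certificate management tools.` and `miscfiles_cert_type(mycertfile_t)` in the example would match the code it documents.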
@@ -42656,7 +42844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-07-13 08:35:19.145502757 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-08-13 08:20:57.407085107 +0200 @@ -29,18 +29,18 @@ ## @@ -42712,7 +42900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +107,40 @@ +@@ -97,3 +107,41 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) @@ -42726,6 +42914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +ubac_constrained(home_bin_t) + +type home_cert_t; ++miscfiles_cert_type(home_cert_t) +userdom_user_home_content(home_cert_t) +ubac_constrained(home_cert_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index a5f8bbf..f9a9a40 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 46%{?dist} +Release: 47%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
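Review bot: `miscfiles_cert_type(home_cert_t)` adds a user home-directory type to `cert_type`, so after this diff's widening of `miscfiles_read_certs()` every domain calling that interface, system daemons included, can read `home_cert_t` content once it can search the user's home; if the matching .fc entry covers a directory that also stores private keys, that is broader than readers of the system CA bundle were ever meant to get. `miscfiles_cert_type()` applies `files_type` itself and `userdom_user_home_content()` presumably does too, so the overlap is harmless, but a comment naming the labelled path and whether private keys live there would help. The userdomain.te declarations continue past the end of this hunk.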
@@ -469,6 +469,13 @@ exit 0 %endif %changelog +* Fri Aug 13 2010 Miroslav Grepl 3.7.19-47 +- Fixes for boinc-project policy +- Allow swat to read nmbd pid file +- Allow fail2ban to read BIND log files +- Fix cert handling from Dan +- Remove transition from unconfined to ncftool domain + * Wed Aug 11 2010 Miroslav Grepl 3.7.19-46 - Allow ipsec-mgmt to dbus chat with unconfined - Fixes for boinc policy